External Username, Password, Email... dataset with Keycloak
by Reed Lewis
Hi,
We are examining Keycloak (it looks like it can do what we want), but we have the need to have an external lookup of accounts that are not in Keycloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in Keycloak, but from then on have all the data “live” in Keycloak and never refer to the external datasource again once the account is “migrated” into Keycloak.
Can this be done with some modification of federation?
We do not want to add the user accounts directly into Keycloak as there are many more there than will ever be in Keycloak.
Thank you,
Reed Lewis
7 years, 3 months
How to configure KeycloakAuthorization on Angular2 Application
by Carlos Feria
Hi all, good morning. I am coding an Angular2 application and I need to
implement Authorization like this example on Keycloak:
https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz,
there is another example that indicates how to use Keycloak on Angular2
applications (
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/a...
)
My real problem is how to write responseError on Angular2? Have you ever
had this kind of problem?
This is the code (the red code) that I want to port to Angular2. Please help
me.
module.factory('authInterceptor', function ($q, $injector, $timeout, Identity) {
    return {
        // Outgoing requests: send the RPT (requesting party token) if we already
        // have one, otherwise the plain access token. The /authorize endpoint
        // itself is always called with the access token.
        request: function (request) {
            document.getElementById("output").innerHTML = '';
            if (Identity.authorization && Identity.authorization.rpt && request.url.indexOf('/authorize') == -1) {
                retries = 0;
                request.headers.Authorization = 'Bearer ' + Identity.authorization.rpt;
            } else {
                request.headers.Authorization = 'Bearer ' + Identity.authc.token;
            }
            return request;
        },
        // Failed responses: on 401/403, ask the authorization server for an RPT
        // using the WWW-Authenticate challenge, then replay the request once.
        responseError: function (rejection) {
            var status = rejection.status;
            if (status == 403 || status == 401) {
                var retry = (!rejection.config.retry || rejection.config.retry < 1);
                if (!retry) {
                    document.getElementById("output").innerHTML = 'You can not access or perform the requested operation on this resource.';
                    return $q.reject(rejection);
                }
                if (rejection.config.url.indexOf('/authorize') == -1 && retry) {
                    var deferred = $q.defer();
                    // Authorization logic: obtain an authorization token (RPT) from the
                    // server when the resource server returned 403 or 401.
                    Identity.authorization.authorize(rejection.headers('WWW-Authenticate')).then(function (rpt) {
                        deferred.resolve(rejection);
                    }, function () {
                        document.getElementById("output").innerHTML = 'You can not access or perform the requested operation on this resource.';
                        // Reject the deferred, otherwise the caller's promise never settles.
                        deferred.reject(rejection);
                    }, function () {
                        document.getElementById("output").innerHTML = 'Unexpected error from server.';
                    });
                    var promise = deferred.promise;
                    return promise.then(function (res) {
                        // Count the replay so a second denial is not retried again.
                        if (!res.config.retry) {
                            res.config.retry = 1;
                        } else {
                            res.config.retry++;
                        }
                        var $http = $injector.get("$http");
                        return $http(res.config).then(function (response) {
                            return response;
                        });
                    });
                }
            }
            return $q.reject(rejection);
        }
    };
});
--
Carlos E. Feria Vila
7 years, 3 months
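Added example, not the photoz sample or the poster's code: the same request/responseError logic restated as plain functions that work with any promise-returning HTTP call (Angular2's Http, fetch, ...), with the decision part kept pure so it can be unit-tested without $q. The identity shape (identity.authc.token, identity.authorization.rpt, identity.authorization.authorize(challenge) returning a promise of the RPT) and the fake resource server are assumptions constructed for the example.

```javascript
var MAX_RETRIES = 1;
var DENIED_MSG = 'You can not access or perform the requested operation on this resource.';

// request(): send the RPT when we have one (never to /authorize itself), else the access token.
function withAuthorization(identity, config) {
  var useRpt = Boolean(identity.authorization && identity.authorization.rpt) &&
    config.url.indexOf('/authorize') === -1;
  var token = useRpt ? identity.authorization.rpt : identity.authc.token;
  return Object.assign({}, config, {
    headers: Object.assign({}, config.headers, { Authorization: 'Bearer ' + token })
  });
}

// responseError(): a pure decision so it can be unit-tested without $q or Angular2.
// 401/403 -> obtain an RPT and retry once; anything else, or a second denial -> reject.
function onResponseError(config, response) {
  var denied = response.status === 401 || response.status === 403;
  var retries = config.retry || 0;
  if (!denied) return { action: 'reject', reason: 'HTTP ' + response.status };
  if (retries >= MAX_RETRIES || config.url.indexOf('/authorize') !== -1) {
    return { action: 'reject', reason: DENIED_MSG };
  }
  var headers = response.headers || {};
  return { action: 'authorize',
           challenge: headers['WWW-Authenticate'] || headers['www-authenticate'],
           retryConfig: Object.assign({}, config, { retry: retries + 1 }) };
}

// Driver: on a denial, exchange the WWW-Authenticate challenge for an RPT and replay
// the request; the retry counter carried in the config guarantees termination.
function send(doRequest, identity, config) {
  return doRequest(withAuthorization(identity, config)).then(function (response) {
    if (response.status < 400) return response;
    var decision = onResponseError(config, response);
    if (decision.action === 'reject') return Promise.reject(new Error(decision.reason));
    return identity.authorization.authorize(decision.challenge).then(function (rpt) {
      identity.authorization.rpt = rpt; // assumption: authorize() resolves with the RPT
      return send(doRequest, identity, decision.retryConfig);
    }, function () { return Promise.reject(new Error(DENIED_MSG)); });
  });
}

// Constructed stand-in for a resource server: 403 plus a UMA challenge until an RPT is presented.
function fakeResourceServer(request) {
  return Promise.resolve(request.headers.Authorization === 'Bearer rpt-1'
    ? { status: 200, headers: {}, body: 'album list' }
    : { status: 403, headers: { 'WWW-Authenticate': 'UMA ticket="t1"' }, body: '' });
}
// Constructed identity: no RPT yet; authorize() hands back rpt-1.
var identity = { authc: { token: 'access-token' },
                 authorization: { rpt: null, authorize: function () { return Promise.resolve('rpt-1'); } } };
```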
StaleCodeMessage on IDP Initiated SAML SSO
by Chris Brandhorst
I have two Keycloak instances, A is an IdP for B. From the login screen of B, this works as it should.
However, I can’t get IDP Initiated SSO from A to B to work. I filled the “IDP Initiated SSO URL Name” field with a name (say “bbbbb”) in A.
When I try to navigate to: http://aaaaa/auth/realms/his/protocol/saml/clients/bbbbb
I always end up with the following logging:
22:42:02,993 DEBUG [org.keycloak.services] (default task-23) Authorization code is not valid. Code: null
22:42:02,994 WARN [org.keycloak.events] (default task-23) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=127.0.0.1, error=staleCodeMessage
22:42:02,994 ERROR [org.keycloak.services] (default task-23) staleCodeMessage
Which in itself is not surprising, because indeed, there is no Authorization code in play here, but that’s the whole idea of IDP Initiated SSO, no?
What must I do to get this to work?
Thanks,
Chris Brandhorst
7 years, 4 months
Performance lag in client role creation and retrieval
by Padmaka Wijaygoonawardena
Hi,
I'm currently using Keycloak 2.2.1 with a MySQL database. The setup I'm
using has 2 Keycloak nodes and around 4000 client roles for one client. The
process I go through for adding is as follows:
1. GET call to check whether the role already exists. (takes around
2000ms)
2. POST call to create the new client role. (takes around 10000ms)
3. GET call to get the newly created client role(Since the create role
call doesn't send the full client role in the response body). (takes around
10000ms)
The Keycloak version I used earlier was 1.9.0; with that version this
process worked fine, with one call taking around 700ms on average.
So as shown above this is a huge performance lag. With further
investigation I found the following points:
1. When using only one Keycloak node this problem doesn't appear.
Therefore it should be some issue with the Infinispan cache.
2. When I remove the GET calls and only send the create calls, the
calls return in 2000ms on average.
3. This lag only appears when executing a get role call soon after
creating a client role.
I double-checked the changes for 2.3.0 [1]; since nothing is said there
about cache or related issues, I raised this issue.
Any advice or fix would be highly appreciated. Thanks in advance.
[1] - http://blog.keycloak.org/2016/10/keycloak-230cr1-released.html
Cheers,
Padmaka.
7 years, 4 months
ECP example?
by Carlos Villegas
I want to secure a servlet REST application. My client is Java; so far
I've been using Apache HttpClient.
The Keycloak docs mention SAML ECP binding is supported, but I don't see
an example.
The admin pages seem to assume only POST or redirect binding.
Does the client adapter support ECP binding? Any pointers or help on how
to go about it?
I need help on both the client adapter and how to use Keycloak as a SAML
ECP IDP.
Thanks,
Carlos
7 years, 4 months
Keycloak behind 2 Nginx reverse proxies (HTTPS -> HTTP)
by Andrey Saroul
We have an idea to isolate our application in our internal network so that
all communication in that network can go by HTTP.
So we've set up a public nginx server, which is responsible for
establishing HTTPS connections.
The public nginx server forwards requests to another nginx server in the secured
internal network, which in turn accesses Keycloak and WildFly by HTTP.
But this configuration is not working because of an invalid redirect issue.
In our client's JSON file we have to define auth-server-url with the HTTPS
scheme. When we try to specify HTTP, Keycloak no longer works.
So my question: is it possible to make things work over HTTP in the internal
private network, with HTTPS remaining only for public access?
Any guidance will be appreciated.
7 years, 4 months
Re: [keycloak-user] Accessing JGroups ports in Docker keycloak-ha-postgres
by Staffan
After lots of experimentation, I found keycloak-mysql to be more useful
than keycloak-ha-postgres for HA in Kubernetes. See
https://github.com/jboss-dockerfiles/keycloak/pull/62
There is some more background in the JGroups mailing list thread "Expose
JGroups ports in Docker keycloak-ha-postgres".
/Staffan
On Tue, Nov 8, 2016 at 11:29 AM, Staffan <solsson(a)gmail.com> wrote:
> Hi,
>
> I've tried in different docker environments (compose, kubernetes,
> standalone) to get an HA setup running using
> https://hub.docker.com/r/jboss/keycloak-ha-postgres/.
>
> Keycloak nodes start all right, but are unaware of each other. Curiously I
> fail to reach the JGroups ports from any other container or host system.
>
> When I try -Djboss.bind.address.private=0.0.0.0 there's an error during
> startup:
>
> MSC000001: Failed to start service jboss.jgroups.channel.ee:
> org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee:
> java.security.PrivilegedActionException: java.net.BindException: [UDP] /
> 0.0.0.0 is not a valid address on any local network interface
> at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(
> ChannelBuilder.java:80)
> Caused by: java.security.PrivilegedActionException:
> java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any
> local network interface
> at org.wildfly.security.manager.WildFlySecurityManager.doChecked(
> WildFlySecurityManager.java:640)
> Caused by: java.net.BindException: [UDP] /0.0.0.0 is not a valid address
> on any local network interface
> at org.jgroups.util.Util.checkIfValidAddress(Util.java:3522)
>
> ... or if I switch to stack="tcp" in the jgroups subsystem:
>
> MSC000001: Failed to start service jboss.jgroups.channel.ee:
> org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee:
> java.security.PrivilegedActionException: java.net.BindException: [TCP] /
> 0.0.0.0 is not a valid address on any local network interface
>
> I guess this is a generic Wildfly topic, but I'm curious how the official
> Keycloak docker containers are tested. In a docker context, the only two
> interfaces I can bind to are 0.0.0.0 and 127.0.0.1.
>
> regards
> Staffan Olsson
7 years, 5 months
Is there a way to include a link within an error message resource?
by Ben Quirk
My scenario: A user requests a password reset but their link expires. When
they click the link, they're shown an error message that comes from the
message property: "invalidCodeMessage".
Is it possible to include a new password reset link here so they can easily
request a new one?
I figured I could do this in the template; however, it looks like error.tpl is
used for all errors and the message is being rendered with
"${message.summary}", so I can't easily pass a message parameter through via
the template.
Thanks in advance,
Ben Quirk
7 years, 5 months